r37555 - in /desktop/wheezy/gconf/debian: changelog patches/06-gconf-dbus-fix-use-after-free.patch patches/series

paulepanter-guest at users.alioth.debian.org paulepanter-guest at users.alioth.debian.org
Tue Apr 16 15:24:06 UTC 2013


Author: paulepanter-guest
Date: Tue Apr 16 15:24:06 2013
New Revision: 37555

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=37555
Log:
Add patch to fix use after free in `gconf_engine_get_fuller`

It was hoped that this would fix the crashes in Evolution 3.4.x, but it
still crashes, probably due to another memory leak [1].

[1] https://bugzilla.gnome.org/show_bug.cgi?id=683524

Added:
    desktop/wheezy/gconf/debian/patches/06-gconf-dbus-fix-use-after-free.patch
Modified:
    desktop/wheezy/gconf/debian/changelog
    desktop/wheezy/gconf/debian/patches/series

Modified: desktop/wheezy/gconf/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/wheezy/gconf/debian/changelog?rev=37555&op=diff
==============================================================================
--- desktop/wheezy/gconf/debian/changelog [utf-8] (original)
+++ desktop/wheezy/gconf/debian/changelog [utf-8] Tue Apr 16 15:24:06 2013
@@ -1,6 +1,11 @@
 gconf (3.2.5-2) unstable; urgency=low
 
+  [ Josselin Mouette ]
   * Break libgconf2.0-cil < 2.24.2-3. Closes: #694340.
+
+  [ Paul Menzel ]
+  * 06-gconf-dbus-fix-use-after-free.patch: Add patch to fix use after
+    free in `gconf_engine_get_fuller`. Closes: #699424.
 
  -- Josselin Mouette <joss at debian.org>  Wed, 13 Mar 2013 10:56:19 +0100
 

Added: desktop/wheezy/gconf/debian/patches/06-gconf-dbus-fix-use-after-free.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/wheezy/gconf/debian/patches/06-gconf-dbus-fix-use-after-free.patch?rev=37555&op=file
==============================================================================
--- desktop/wheezy/gconf/debian/patches/06-gconf-dbus-fix-use-after-free.patch (added)
+++ desktop/wheezy/gconf/debian/patches/06-gconf-dbus-fix-use-after-free.patch [utf-8] Tue Apr 16 15:24:06 2013
@@ -1,0 +1,104 @@
+From 84884e9df7ce8c081a1c223c66a799b82545ff1e Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha at redhat.com>
+Date: Thu, 18 Oct 2012 16:08:02 -0400
+Subject: [PATCH] gconf-dbus: fix use after free
+
+gconf_engine_get_fuller is accessing freed memory.
+The problem is that it's referencing strings that are owned
+by a D-Bus message, and they go away when the D-Bus message is freed.
+
+This commit addresses the problem by duplicating the strings and
+freeing them later.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=667167
+---
+ gconf/gconf-dbus-utils.c |   10 +++++-----
+ gconf/gconf-dbus.c       |    9 ++++++---
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/gconf/gconf-dbus-utils.c b/gconf/gconf-dbus-utils.c
+index 6fd5bfa..92f5980 100644
+--- a/gconf/gconf-dbus-utils.c
++++ b/gconf/gconf-dbus-utils.c
+@@ -569,11 +569,11 @@ gconf_dbus_utils_get_entry_values (DBusMessageIter  *main_iter,
+ 				   gchar           **schema_name_p)
+ {
+   DBusMessageIter  struct_iter;
+-  gchar           *key;
++  const gchar     *key;
+   GConfValue      *value;
+   gboolean         is_default;
+   gboolean         is_writable;
+-  gchar           *schema_name;
++  const gchar     *schema_name;
+ 
+   g_return_val_if_fail (dbus_message_iter_get_arg_type (main_iter) == DBUS_TYPE_STRUCT,
+ 			FALSE);
+@@ -587,7 +587,7 @@ gconf_dbus_utils_get_entry_values (DBusMessageIter  *main_iter,
+   value = utils_get_value (&struct_iter);
+ 
+   dbus_message_iter_next (&struct_iter);
+-  schema_name = (gchar *) utils_get_optional_string (&struct_iter);
++  schema_name = utils_get_optional_string (&struct_iter);
+ 
+   dbus_message_iter_next (&struct_iter);
+   dbus_message_iter_get_basic (&struct_iter, &is_default);
+@@ -596,7 +596,7 @@ gconf_dbus_utils_get_entry_values (DBusMessageIter  *main_iter,
+   dbus_message_iter_get_basic (&struct_iter, &is_writable);
+ 
+   if (key_p)
+-    *key_p = key;
++    *key_p = g_strdup (key);
+ 
+   if (value_p)
+     *value_p = value;
+@@ -604,7 +604,7 @@ gconf_dbus_utils_get_entry_values (DBusMessageIter  *main_iter,
+     gconf_value_free (value);
+ 
+   if (schema_name_p)
+-    *schema_name_p = schema_name;
++    *schema_name_p = g_strdup (schema_name);
+   
+   if (is_default_p)
+     *is_default_p = is_default;
+diff --git a/gconf/gconf-dbus.c b/gconf/gconf-dbus.c
+index f167fc5..5610fcf 100644
+--- a/gconf/gconf-dbus.c
++++ b/gconf/gconf-dbus.c
+@@ -1252,12 +1252,13 @@ gconf_engine_get_fuller (GConfEngine *conf,
+   
+   if (schema_name && schema_name[0] != '/')
+     {
++      g_free (schema_name);
+       schema_name = NULL;
+     }
+   
+   if (schema_name_p)
+-    *schema_name_p = g_strdup (schema_name);
+-  
++    *schema_name_p = schema_name;
++
+   return val;
+ }
+ 
+@@ -2402,7 +2403,7 @@ handle_notify (DBusConnection *connection,
+ 	       GConfEngine *conf2)
+ {
+   GConfEngine *conf;
+-  gchar *key, *schema_name;
++  gchar *key = NULL, *schema_name = NULL;
+   gboolean is_default, is_writable;
+   DBusMessageIter iter;
+   GConfValue *value;
+@@ -2466,6 +2467,8 @@ handle_notify (DBusConnection *connection,
+ 
+   if (value)
+     gconf_value_free (value);
++  g_free (key);
++  g_free (schema_name);
+ 
+   if (!match)
+     return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+-- 
+1.7.10.4
+
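Review bot: In the `gconf_engine_get_fuller` hunk of the added patch, `schema_name` is now a heap copy owned by that function, but on the visible lines it is only handed off when `schema_name_p` is non-NULL, so a call with `schema_name_p == NULL` and a schema name starting with '/' appears to leak the string. Suggest `if (schema_name_p) *schema_name_p = schema_name; else g_free (schema_name);` before `return val;`. The patch also changes the contract of `gconf_dbus_utils_get_entry_values`: `*key_p` and `*schema_name_p` are now caller-owned copies rather than pointers into the D-Bus message, which deserves a comment above the function such as `/* *key_p and *schema_name_p are newly allocated; the caller must g_free() them. */`. The bodies of all three functions start outside the hunks, so any callers not touched here, and any early-return path in `handle_notify` before the added `g_free` calls, should be checked for the same ownership handling.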

Modified: desktop/wheezy/gconf/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/wheezy/gconf/debian/patches/series?rev=37555&op=diff
==============================================================================
--- desktop/wheezy/gconf/debian/patches/series [utf-8] (original)
+++ desktop/wheezy/gconf/debian/patches/series [utf-8] Tue Apr 16 15:24:06 2013
@@ -2,4 +2,5 @@
 02_fix_wrong_return_value.patch
 04_manpage.patch
 05_readd_gconf_engine_key_is_writable.patch
+06-gconf-dbus-fix-use-after-free.patch
 25_gconf-path-max-hurd.patch



